OS X’s huge out-of-the-box security hole, and a fix

An enormous Mac OS X selling point has been it’s rock solid security, so one would be pretty enraged to find there is a gaping hole sitting in the operating system that has been reported many times and marked as “behaving normally,” while enabling anyone with GUI access to run as root and do basically anything they want to your computer. Apple has obviously been made aware of this issue, and the worst part is, it has been around at least since Panther—over five years ago.

What exactly is this issue? Well, the issue in and of itself may not seem incredibly malicious. The problem lies in AppleScript, and the fact that Applications running as “root” (which basically gives complete access) can accept AppleScript commands from applications which are not running as root. Developer and MacNN forum member Charles Srstka notes that he has sent this in as a bug to Apple many times, and yet it has been labeled as “Behaves Correctly” and dismissed. Furthering the issue is the fact that all Cocoa applications automatically have basic AppleScript support, so any Cocoa application running as root can recieve these malicious AppleScript commands.

This may seem inconsequential. After all, applications can’t run as root unless you tell them too, right? And any app that wouldn’t listen to your direction isn’t one you’re likely to install, right? Well, not only are some seemingly benign applications running as root, intentionally or not, there is an application that is part of every Mac OS X installation that runs as root and thus can accept these commands, ARDAgent. To prove this, you can enter the following in Terminal [Editor's Note: And be careful, as Terminal can be dangerous if you don't know what you're doing.]:

osascript -e ‘tell application “ARDAgent” to do shell script “whoami”‘

This asks the application to tell who it is running as. The response will be “root.”

Luckily, there is a fix, and it is relatively simple. First, I recommend running “Repair Permissions,” because, after this “fix,” running Repair Permissions will undo the fix. Next, you will need to enter the following command into Terminal, all on one line:

sudo chmod 755 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Hit enter, and type your password. Note: It will not appear, but you are typing it. Hit enter after typing your password. Now, the application is not running as root, and you are much safer from any exploits.

What astounds me about this is that it is not hard at all to figure out the enormity of this problem, and yet, for possibly over five years now, Apple developers have been ignoring it. Want to help get it fixed? Submit a bug report. You will need a free ADC account. Visit Apple’s Bug Report Form and explain the issue, or link to this or another article or webpage explaining the issue. If you really don’t want an ADC account, submit a report using the OS X Feedback Form, which may or may not recieve as much priority.

Discussion [MacNN Forums]